Bug 36083 - REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC
Summary: REGRESSION (r55772-r55834): Crash in JavaScriptCore RegExp code on PowerPC
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Mac (PowerPC) OS X 10.5
Importance: P1 Critical
Assignee: Nobody
URL: http://groups.google.com/group/jquery...
Keywords: InRadar, Regression
Duplicates: 36086 36087 36090 36126
Depends on:
Blocks:
 
Reported: 2010-03-12 20:52 PST by Kevin M. Dean
Modified: 2010-03-16 16:15 PDT

See Also:


Attachments
Crashlog (35.16 KB, text/plain)
2010-03-12 20:52 PST, Kevin M. Dean
no flags
The patch (2.27 KB, patch)
2010-03-16 15:55 PDT, Gavin Barraclough
oliver: review+

Description Kevin M. Dean 2010-03-12 20:52:25 PST
Created attachment 50651
Crashlog

I've crashed 9 times over the last 2 days on various different sites. The google site listed above is just one of them.

They all show the same crash information. (Full log as attachment).


Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x00609400 __ZL5matchPKtPKhiR9MatchData + 11856
1   com.apple.JavaScriptCore      	0x0060a780 jsRegExpExecute(JSRegExp const*, unsigned short const*, int, int, int*, int) + 1216
2   com.apple.JavaScriptCore      	0x00612e88 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) + 568
3   com.apple.JavaScriptCore      	0x006254b8 __ZN3JSCL22stringProtoFuncReplaceEPNS_9ExecStateEPNS_8JSObjectENS_7JSValueERKNS_7ArgListE + 3768
4   com.apple.JavaScriptCore      	0x00570770 JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag, JSC::RegisterFile*, JSC::ExecState*, JSC::JSValue*) + 52624
5   com.apple.JavaScriptCore      	0x00576b94 JSC::Interpreter::execute(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, JSC::JSObject*, JSC::ArgList const&, JSC::ScopeChainNode*, JSC::JSValue*) + 1140
6   com.apple.JavaScriptCore      	0x0059153c JSC::JSFunction::call(JSC::ExecState*, JSC::JSValue, JSC::ArgList const&) + 172
7   com.apple.JavaScriptCore      	0x0050f71c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 156
8   com.apple.WebCore             	0x0179b560 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1968
9   com.apple.WebCore             	0x01525390 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 512
10  com.apple.WebCore             	0x014e7008 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 440
11  com.apple.WebCore             	0x014e7e2c WebCore::DOMWindow::dispatchLoadEvent() + 300
12  com.apple.WebCore             	0x01452fdc WebCore::Document::implicitClose() + 716
13  com.apple.WebCore             	0x015578e4 WebCore::FrameLoader::checkCompleted() + 180
14  com.apple.WebCore             	0x01557ac4 WebCore::FrameLoader::completed() + 148
15  com.apple.WebCore             	0x015578f8 WebCore::FrameLoader::checkCompleted() + 200
16  com.apple.WebCore             	0x01b25968 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 408
17  com.apple.WebCore             	0x01d26f9c WebCore::SubresourceLoader::didFinishLoading() + 76
18  com.apple.Foundation          	0x92372814 _NSURLConnectionDidFinishLoading + 120
19  com.apple.CFNetwork           	0x93d0fd8c URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 236
20  com.apple.CFNetwork           	0x93d10a08 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 172
21  com.apple.CFNetwork           	0x93d10cd8 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 892
22  com.apple.CFNetwork           	0x93d0f500 URLConnectionClient::processEvents() + 132
23  com.apple.CFNetwork           	0x93cb9020 MultiplexerSource::perform() + 168
24  com.apple.CoreFoundation      	0x953270d0 CFRunLoopRunSpecific + 1104
25  com.apple.HIToolbox           	0x90d99b14 RunCurrentEventLoopInMode + 264
26  com.apple.HIToolbox           	0x90d99938 ReceiveNextEventCommon + 412
27  com.apple.HIToolbox           	0x90d99778 BlockUntilNextEventMatchingListInMode + 84
28  com.apple.AppKit              	0x9277d244 _DPSNextEvent + 596
29  com.apple.AppKit              	0x9277cbfc -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 112
30  com.apple.Safari              	0x0000dbf4 0x1000 + 52212
31  com.apple.AppKit              	0x9277689c -[NSApplication run] + 744
32  com.apple.AppKit              	0x92747298 NSApplicationMain + 440
33  com.apple.Safari              	0x0000302c 0x1000 + 8236
Comment 1 Mark Rowe (bdash) 2010-03-13 13:08:12 PST
*** Bug 36087 has been marked as a duplicate of this bug. ***
Comment 2 Mark Rowe (bdash) 2010-03-13 13:08:16 PST
*** Bug 36086 has been marked as a duplicate of this bug. ***
Comment 3 Mark Rowe (bdash) 2010-03-13 13:08:52 PST
<rdar://problem/7751468>
Comment 4 Gavin Barraclough 2010-03-13 15:47:42 PST
Nothing obvious in this range, will need to test on PPC to find the exact revision causing the problem.
Comment 5 Alexey Proskuryakov 2010-03-13 16:36:25 PST
*** Bug 36090 has been marked as a duplicate of this bug. ***
Comment 6 Alexey Proskuryakov 2010-03-15 20:34:41 PDT
*** Bug 36126 has been marked as a duplicate of this bug. ***
Comment 7 Gavin Barraclough 2010-03-16 15:55:30 PDT
Created attachment 50848
The patch

The problem is a bug in our port of PCRE - that a read may take place from the first character in an empty string.  For the time being, revert to using a valid pointer in the data segment rather than an invalid non-null pointer into the zero-page for the empty string's data pointer.  A better fix for this will be to remove PCRE.
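The mechanism described in the comment above, as an added example that is not WebKit or PCRE code: a 16-bit string value in the style of JSC's UString (the struct, the function names and the sample input are assumptions for illustration), with the two empty-string representations side by side, a deliberately buggy reader that peeks at the first character before checking the length, and the reader fixed so the length check alone guards the read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not WebKit or PCRE code.  A 16-bit code unit and a
 * (data, length) string value in the style of JSC's UString; the names
 * are assumptions for illustration. */
typedef uint16_t UChar;

typedef struct {
    const UChar* data;
    size_t length;
} UString;

/* Empty-string representation 1: a non-null pointer into the zero page.
 * Distinguishable from NULL and from any real buffer, but any dereference
 * faults, which is the crash the bug report shows on PowerPC. */
static UString empty_with_zero_page_sentinel(void) {
    UString s = { (const UChar*)(intptr_t)1, 0 };
    return s;
}

/* Empty-string representation 2: the workaround.  The data pointer refers
 * to one valid, static, zero UChar, so a stray read of data[0] returns 0
 * instead of faulting. */
static UString empty_with_static_data(void) {
    static UChar emptyUCharData = 0;
    UString s = { &emptyUCharData, 0 };
    return s;
}

/* A deliberately buggy reader in the shape the comment describes: it reads
 * the first character of the subject before checking that there is one.
 * Returns the index of the first occurrence of `needle`, or -1. */
static int find_char_buggy(UString subject, UChar needle) {
    /* BUG: reads subject.data[0] even when subject.length == 0. */
    if (subject.data[0] == needle)
        return 0;
    for (size_t i = 1; i < subject.length; ++i)
        if (subject.data[i] == needle)
            return (int)i;
    return -1;
}

/* The fixed reader: the length check is the only guard on the read, so it
 * is correct for either empty-string representation. */
static int find_char_fixed(UString subject, UChar needle) {
    for (size_t i = 0; i < subject.length; ++i)
        if (subject.data[i] == needle)
            return (int)i;
    return -1;
}

/* Constructed sample input: the 5-code-unit string "hello". */
static const UChar kHello[] = { 'h', 'e', 'l', 'l', 'o' };

static UString sample_hello(void) {
    UString s = { kHello, sizeof(kHello) / sizeof(kHello[0]) };
    return s;
}

int main(void) {
    /* The fixed reader never touches data for an empty subject, so even
     * the zero-page sentinel is safe here. */
    printf("fixed, sentinel empty: %d\n",
           find_char_fixed(empty_with_zero_page_sentinel(), 'a'));
    /* The buggy reader is only survivable with the static-data workaround;
     * calling it with the sentinel would fault. */
    printf("buggy, static empty:   %d\n",
           find_char_buggy(empty_with_static_data(), 'a'));
    /* The workaround hides the fault but not the logic error: a needle of
     * 0 "matches" the static zero element of an empty string. */
    printf("buggy, static empty, needle 0: %d\n",
           find_char_buggy(empty_with_static_data(), 0));
    printf("fixed, hello, 'l': %d\n", find_char_fixed(sample_hello(), 'l'));
    return 0;
}
```

The third call is why the page calls the static-data pointer a workaround rather than a fix: pointing the empty string at valid memory stops the segfault, but a reader that looks past the length can still return a wrong answer (here, a spurious match at index 0 for needle 0). The durable fix is on the reader's side, as in find_char_fixed, which is what the comment's plan to remove PCRE amounts to.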
Comment 8 Oliver Hunt 2010-03-16 15:57:20 PDT
Comment on attachment 50848
The patch

r=me
Comment 9 Darin Adler 2010-03-16 15:57:31 PDT
Comment on attachment 50848
The patch

> +// FIXME: This works around a bug in our port of pcre, that a regular expression run on the empty string
> +//        may still perform a read from the first element, and as such we need this to be a valid pointer.
> +//        No code should ever be reading from a zero length string, so this should be able to be a non-null
> +//        pointer into the zero-page.  Replace this with 'reinterpret_cast<UChar*>(static_cast<intptr_t>(1))'
> +//        once PCRE goes away.
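Review bot: the FIXME states the invariant ("No code should ever be reading from a zero length string") but nothing in this hunk enforces it, so the same class of bug will only resurface as another platform-specific crash once the pointer becomes `reinterpret_cast<UChar*>(static_cast<intptr_t>(1))`. Suggest pairing the workaround with an ASSERT on the consumer side (the PCRE entry path, where the subject length is known) that the length is non-zero before the first read, so debug builds catch the read instead of relying on the zero page to fault. Worth noting in the comment as well that a `UChar*` holding the value 1 is misaligned for a 2-byte type, which is only harmless as long as that invariant holds.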

We don't format our comments this way. The subsequent lines go under FIXME, not indented.

Also, once space after a period.

Also, call it PCRE the first time, not pcre.

> +static UChar emptyUCharData = 0;
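Review bot: `emptyUCharData` is a writable, non-const static that every empty string will now share as its data pointer, so any path that writes through a string's data pointer or frees its buffer would corrupt or free shared state rather than touching one string. Suggest a one-line comment stating the element is shared and must never be written or freed, and, if the type of the data pointer permits, declaring it `static const UChar emptyUCharData = 0;` so the compiler rejects a write through it.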

This can go inside the function instead of outside at file level.
Comment 10 Gavin Barraclough 2010-03-16 16:15:49 PDT
Fixed in r56092.